Siemens said this week that fixes and mitigations are now available for several serious vulnerabilities that can be used to remotely crash some of the company’s SIMATIC systems. On Tuesday, the German industrial giant published nine advisories addressing a total of 27 vulnerabilities.
One of the advisories details three high-severity weaknesses that a remote, unauthenticated attacker can use to mount denial-of-service (DoS) attacks against Siemens programmable logic controllers (PLCs) and related devices. The flaws, tracked as CVE-2021-37185, CVE-2021-37204, and CVE-2021-37205, can be exploited by sending specially crafted packets to the targeted device on TCP port 102.
Crashing a PLC in a real-world industrial environment can have a significant impact and cause substantial disruption. According to Siemens, the affected products are SIMATIC S7-1200 and S7-1500 PLCs, SIMATIC Drive Controller, ET 200SP Open Controller, S7-1500 Software Controller, and SIMATIC S7-PLCSIM Advanced.
Gao Jian, an independent ICS security researcher credited by Siemens with reporting the vulnerabilities, said that these are only a few of the eight he has disclosed to the company; the remaining issues are still being looked into. The researcher began reporting his findings to Siemens in early August 2021. In an advisory, Jian explained that the vulnerabilities, which he calls S7+:Crash, are related to the OMS+ communication protocol stack used by Siemens devices.
Siemens PLCs can be protected against unauthorized operations by selecting an access level and setting a password. However, the researcher said that the attack techniques he uncovered work even when the “complete protection” option is selected. Furthermore, the flaws can be exploited even when a recently released feature that secures the connections between PLCs and PCs or HMIs is enabled.
A threat actor with access to the targeted device on TCP port 102 can exploit the “S7+:Crash” vulnerabilities. If the PLC is exposed to the internet due to a misconfiguration, the attacker can exploit them directly from the internet.
“Note that even the SIMATIC products enabled with access protection and secure communication (TLS encryption) cannot mitigate these vulnerabilities, and there is no firewall capable of parsing the S7CommPlus_TLS protocol, making it very difficult to prevent such attacks,” Jian explained.
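Since the only precondition the article names is network reachability of TCP port 102, and the researcher notes that no firewall inspects the protocol itself, the practical defensive control is to know which hosts reach that port on the PLCs at all. The following Python script is an added example, not code from the article, from Siemens, or from the researcher: it reads a simplified, constructed connection-log format (timestamp, source, destination, destination port, protocol), keeps only TCP/102 flows into an assumed PLC subnet, and flags any source that is either outside the organisation's internal ranges (internet exposure) or inside but not on the assumed allow-list of engineering workstations. All addresses and subnets are assumptions chosen for the example.

```python
"""Flag TCP/102 (S7 / ISO-TSAP) connections to PLCs from unexpected sources.

Added example; not from the article, Siemens, or the researcher. The log
format, subnets, and addresses below are constructed assumptions.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

S7_PORT = 102  # the port named in the advisory as the attack surface

# Assumption: RFC 1918 ranges are treated as "internal"; anything else is external.
INTERNAL_RANGES = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]
# Assumption: engineering workstations / HMIs that legitimately talk to PLCs.
ENGINEERING_HOSTS = [ipaddress.ip_network("10.10.20.0/24")]
# Assumption: the subnet where the PLCs live.
PLC_SUBNET = ipaddress.ip_network("10.10.50.0/24")


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    reason: str


def parse_line(line: str):
    """Parse 'TIMESTAMP SRC DST DPORT PROTO'; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, proto = parts
    try:
        return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto.lower()
    except ValueError:
        return None


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_RANGES)


def is_engineering_host(ip) -> bool:
    return any(ip in net for net in ENGINEERING_HOSTS)


def find_suspicious_s7_connections(lines):
    """Return alerts for TCP/102 flows into the PLC subnet from non-approved sources."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crashing the detector
        ts, src, dst, dport, proto = rec
        if proto != "tcp" or dport != S7_PORT or dst not in PLC_SUBNET:
            continue  # only TCP/102 towards a PLC is of interest
        if not is_internal(src):
            reason = "external source reached PLC on TCP/102 (internet exposure)"
        elif not is_engineering_host(src):
            reason = "internal non-engineering host reached PLC on TCP/102"
        else:
            continue  # approved engineering host: expected traffic
        alerts.append(Alert(ts, str(src), str(dst), reason))
    return alerts


def summarize(alerts):
    """Count alerts per reason so exposure shows up at a glance."""
    return dict(Counter(a.reason for a in alerts))


# Constructed sample log: one approved flow, one internal stray, one from the internet,
# one non-102 flow, one UDP flow, and one malformed line.
SAMPLE_LOG = [
    "2022-01-12T10:01:02Z 10.10.20.5 10.10.50.7 102 tcp",
    "2022-01-12T10:02:15Z 10.10.30.8 10.10.50.7 102 tcp",
    "2022-01-12T10:03:40Z 198.51.100.23 10.10.50.7 102 tcp",
    "2022-01-12T10:04:01Z 10.10.20.5 10.10.50.7 443 tcp",
    "2022-01-12T10:05:00Z 10.10.20.5 10.10.50.7 102 udp",
    "this line is not a log record",
]

if __name__ == "__main__":
    for alert in find_suspicious_s7_connections(SAMPLE_LOG):
        print(f"{alert.ts} {alert.src} -> {alert.dst}: {alert.reason}")
    print(summarize(find_suspicious_s7_connections(SAMPLE_LOG)))
```

The external-source rule is the one that matters most for the scenario in the article: any hit there means a PLC is reachable on port 102 from outside, which is the misconfiguration that turns a LAN-only issue into an internet-facing one. The internal allow-list rule catches the quieter case of a compromised office host reaching the OT network, which access protection on the PLC itself does not prevent according to the researcher.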